Sophos Anti-Virus for Linux v9: Fanotify Overview

Article ID:
118216

Rating:

11 customers rated this article 5.7 out of 6

Updated:
16 Apr 2015

Fanotify is a file access notification interface built into later Linux kernels. This kernel feature allows Sophos Anti-Virus to scan files On-Access and, if necessary, block access to threats. This article gives further details on the supported environments for Fanotify with Sophos Anti-Virus.

Known to apply to the following Sophos product(s) and version(s): Sophos Anti-Virus for Linux v9.0

Operating systems: Linux

Fanotify Overview

Support for Fanotify is included in Sophos Anti-Virus version 9.7.x and higher. This provides an alternative to Talpa - the current On-Access kernel interface.

With Fanotify, On-Access scanning is available on any 2.6.37+ kernel. It will not be necessary for Sophos to include a binary pack for each kernel/new distribution or for a module to be compiled locally.

Note: Kernels 3.15 and higher are not yet supported by SAV for Linux due to a known issue. Sophos is working with the community to fix this, and Sophos Anti-Virus for Linux v9.8 will support these kernels. In the interim, where possible, we recommend using Talpa for On-Access scanning.

Support for Fanotify is included for Sophos Anti-Virus up to version 9.6.1.

Default kernel interface module

At present Talpa is still the default kernel interface module for On-Access scanning. Sophos provide Talpa Binary Packs for all supported distributions/kernels - so Fanotify is not used by default.

Enabling Fanotify

To enable the Fanotify functionality, follow the steps below. Fanotify will be used as a fallback method if a Talpa Binary Pack cannot be loaded/compiled.

Run the following command:

/opt/sophos-av/bin/savconfig set DisableFanotify false

Restart SAV:

/etc/init.d/sav-protect restart

Using Fanotify as the default kernel interface

If required, Fanotify can be set as the default kernel interface, in which case it is used in preference to Talpa even when a Talpa Binary Pack is available. Follow these steps if you wish to use Fanotify instead of Talpa.

Run the following command:

/opt/sophos-av/bin/savconfig set PreferFanotify true

Restart SAV:

/etc/init.d/sav-protect restart
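The following script is an added example and not Sophos-supplied code. It covers both procedures above (enabling Fanotify as a fallback, and making it the preferred interface) and adds the pre-checks a practitioner would want before switching away from Talpa, derived from the statements in this article: Fanotify needs a 2.6.37 or later kernel, kernels 3.15 and higher are not supported by the current SAV release, and some distributions turn Fanotify off in their kernels. The savconfig and sav-protect paths are the ones given above; the function names, the status labels, the script name and the assumption that the running kernel's config is at /boot/config-<release> are this example's own.

```sh
#!/bin/sh
# fanotify-switch.sh: added example, not Sophos-supplied code.
# Check that the running kernel can actually provide fanotify before switching
# SAV from Talpa, then apply the savconfig settings from the article.
# SAVCONFIG and SAV_INIT paths are from the article; everything else here is
# this example's own (function names, status labels, kernel config path).

SAVCONFIG=/opt/sophos-av/bin/savconfig
SAV_INIT=/etc/init.d/sav-protect

# version_ge A B: succeed when kernel release A is at least version B.
# Compares the first three numeric fields; a distro suffix such as
# "-24-generic" or ".el6.x86_64" after the third field is ignored.
# ".0.0" is appended so that a short version like "3.15" still has 3 fields.
version_ge() {
    a=$(printf '%s' "$1" | sed 's/[^0-9.].*//').0.0
    b=$(printf '%s' "$2" | sed 's/[^0-9.].*//').0.0
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# fanotify_status RELEASE: classify a kernel release against the article's
# support statements. The labels are this example's own:
#   too-old      older than 2.6.37, the kernel has no fanotify at all
#   known-issue  3.15 or later, not supported by current SAV; use Talpa
#   ok           fanotify usable by SAV (if the distro kernel enables it)
fanotify_status() {
    if ! version_ge "$1" 2.6.37; then
        echo too-old
    elif version_ge "$1" 3.15; then
        echo known-issue
    else
        echo ok
    fi
}

# config_enables_fanotify FILE: succeed when a kernel config file (for example
# /boot/config-$(uname -r)) was built with CONFIG_FANOTIFY=y. Distributions
# may switch fanotify off, so the version check alone is not enough.
config_enables_fanotify() {
    grep -q '^CONFIG_FANOTIFY=y' "$1"
}

# apply_fanotify MODE: "fallback" only allows fanotify when no Talpa Binary
# Pack can be loaded or compiled; "prefer" also makes it the default
# interface. Both settings are taken from the article. Restarts SAV.
apply_fanotify() {
    "$SAVCONFIG" set DisableFanotify false
    if [ "$1" = prefer ]; then
        "$SAVCONFIG" set PreferFanotify true
    fi
    "$SAV_INIT" restart
}

# Only act when run as "sh fanotify-switch.sh fallback" or "... prefer";
# with no argument the script just defines the functions above.
case ${1:-} in
fallback|prefer)
    rel=$(uname -r)
    status=$(fanotify_status "$rel")
    if [ "$status" != ok ]; then
        echo "kernel $rel: fanotify status '$status', keep using Talpa" >&2
        exit 1
    fi
    cfg=/boot/config-$rel
    if [ -r "$cfg" ] && ! config_enables_fanotify "$cfg"; then
        echo "kernel $rel: CONFIG_FANOTIFY not set in $cfg, keep using Talpa" >&2
        exit 1
    fi
    apply_fanotify "$1"
    ;;
esac
```

Run it as root with the argument `fallback` to mirror the "Enabling Fanotify" steps, or `prefer` to mirror the "Using Fanotify as the default kernel interface" steps. The script refuses to switch on kernels older than 2.6.37 or at 3.15 and above (the known issue below), and on kernels whose config file shows Fanotify disabled by the distribution; in those cases it leaves Talpa in place, which is what the article recommends.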

Further information

Use of Fanotify with Sophos Anti-Virus is fully supported for On-Access scanning; however, the following caveats apply:

Fanotify is built into the kernel and is not developed by Sophos. Behaviour with Fanotify may differ from behaviour with Talpa.

Fanotify is updated via kernel updates. Behaviour with Fanotify may therefore differ depending on the kernel version.

Some distributions may turn Fanotify off in their kernels. Sophos has no control over this.

If you experience any unexpected behaviour or issues with Fanotify, please contact Sophos Support. Known issues are listed below.

Known issues

Fanotify is not supported on kernels 3.15 or higher with any current version of Sophos Anti-Virus for Linux.

Workaround: use Sophos-supplied or locally compiled Talpa Binary Packs instead of Fanotify.

Debian 7 does not support Fanotify; the kernel feature is turned off by the distribution.

Workaround: compile Talpa Binary Packs locally for this platform, see KB13503.

All NFSv4 access is blocked when scanning with Fanotify. This is a filesystem issue, and Sophos is working with the Linux community to fix it.

Workaround: use Talpa with NFSv4, or switch to NFSv3.

30-second delay on file create and "Operation not permitted" errors with Fanotify and CIFS. This is a kernel issue, and Sophos is working with the Linux community to fix it.

Workaround: disable CIFS oplocks, exclude the CIFS share from On-Access scanning, or use Talpa instead of Fanotify.